[#1374] datastore:use bind params instead of string formatting

ckan · Feb 10, 2015 · 0cf8a2c · 0cf8a2c
1 parent 6935648
commit 0cf8a2c
Showing 1 changed file with 3 additions and 4 deletions.
diff --git a/ckanext/datastore/plugin.py b/ckanext/datastore/plugin.py
@@ -180,10 +180,9 @@ def _read_connection_has_correct_privileges(self):
         try:
             write_connection.execute(u'CREATE TEMP TABLE _foo ()')
             for privilege in ['INSERT', 'UPDATE', 'DELETE']:
-                test_privilege_sql = u"SELECT has_table_privilege('{user}', '_foo', '{privilege}')"
-                sql = test_privilege_sql.format(user=read_connection_user,
-                                                privilege=privilege)
-                have_privilege = write_connection.execute(sql).first()[0]
+                test_privilege_sql = u"SELECT has_table_privilege(%s, '_foo', %s)"
+                have_privilege = write_connection.execute(
+                    test_privilege_sql, (read_connection_user, privilege)).first()[0]
                 if have_privilege:
                     return False
         finally: